Unified Communications Security - CLIPSHAM IT

February, 2011

Unified Communications Security: A Best-inClass Strategy to Unleash Value The value of Unified Communications (UC) fundamentally comes from aligning enterprise communications capabilities to the needs of the organization. These needs include the ability to improve productivity, raise service metrics, and reducing human latency. However, before all this can occur, businesses must be sure that their collaborative approaches are secure and compliant to ensure that business gains are not offset by new liabilities. Based on 299 organizations ranging from small business to global enterprises interviewed throughout 2010, this research will show the business value that has been achieved through the successful adoption and deployment of Unified Communications security approaches.

Research Brief Aberdeen’s Research Briefs provide a detailed exploration of a key finding from a primary research study, including key performance indicators, Bestin-Class insight, and vendor insight.

Defining Best-in-Class Approaches to Unified Communications Unified Communications can be a nebulous concept and has been defined in many different ways. Some sources define Unified Communications simply as next-generation IP telephony while others vaguely guess that Unified Communications can be any combination of messaging modalities. This report will focus specifically on enterprise Unified Communications including the integration of voice with additional communications services optimized for business needs. These services may include features such as instant messaging, presence, web and video conferencing, call control, and unified messaging based on the needs of the organization. With the advent of true Unified Communications, a number of organizations have successfully associated their deployments with business value. To gain greater perspective in successful UC deployments, Aberdeen explored a wide variety of organizations ranging from 21% of respondents defined as small organizations (defined as those under 50 employees) to 25% of respondents labeled as large enterprises (defined as those over 5,000 employees). These Best-in-Class companies (defined on the right) did not simply deploy every potential technology and flood employees with a panoply of different options. Instead, these organizations focused on three key differentiating themes: security, mobility, and business process alignment.

Best-in-Class Definition Based on the top 20% of respondents, Aberdeen's Bestin-Class organizations were defined as those that: √ Saw a 53% improvement in customer service metrics after implementing Unified Communications √ Saw a 49% improvement in workforce productivity metrics after implementing Unified Communications √ Were able to contact a desired employee within 10 minutes.

From a security perspective, Aberdeen found that only 28% of respondents currently had a security solution that was robust enough to handle real-time usage and monitoring for voice, video, social media, and other collaborative tools used by employees. Although Best-in-Class companies had 48% adoption, this still means that even a majority of top organizations lack the ability to fully manage Unified Communications to ensure that governance, This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.

Unified Communications Security: A Best-in-Class Strategy to Unleash Value Page 2

risk management, and compliance (GRC) issues are being fully met. (Figure 1) Figure 1: Best-in-Class Are More Likely To Have Security

48% Security solution for real-time Unified Communications

36%

19%

Best-in-Class Industry Average Laggards

0%

20%

40%

60%

Percentage of Respondents (n=228)

Source: Aberdeen Group, December 2010

This lack of control is worrisome, especially for respondents in highly regulated areas such as financial services or healthcare. In September 2009, respondents were asked about the maximum possible cost of a single lapse in compliance for a number of different issues based on the loss of a mobile device. When these values were averaged, several verticals stood out as key compliance risks where the value of security had already been quantified including Financial Services, Retail, and Healthcare (Figure 2). Figure 2: Maximum Cost For A Single Lapse in Compliance Sarbanes-Oxley

$2,100,000

Global Privacy Regulations

$1,500,000

Securities and Exchange Commission (SEC) Regulations

$1,400,000

PCI DSS

$1,300,000

Health Insurance Portability and Accountability Act (HIPAA) $-

$1,100,000

$500,000

$1,000,000

$1,500,000

$2,000,000

$2,500,000

Maximum cost for a single lapse (n=38)

Source: Aberdeen Group, September 2009

© 2011 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897


However, privacy and payment issues expand beyond specific vertical needs and identify a potential vulnerability that could affect the general enterprise.

It All Starts With Security To better understand the value brought to end users by having Unified Communications security, Aberdeen asked organizations with mature Unified Communications deployments about the value propositions that they recognized. These respondents were then broken up into three categories: •

Those using a Unified Communications security solution

•

Those planning to implement Unified Communications security in the next 12 months

•

Those with no plans to implement Unified Communications security

When these three subsets were compared, companies with security were more likely to identify their communications deployments with productivity, job satisfaction, and improved work-life balance. 94% of organizations with a security solution stated that enhanced collaborative teamwork was directly related to Unified Communications compared to only 53% of those with no security plans (Figure 3). Figure 3: What Has Unified Communications Done For You? 94%

Enhanced collaborative teamwork

73% 53% 84%

Made me more productive

Increased my job satisfaction

69% 58% 45% 36% 11% 43%

Improved my control of the work/life balance

0%

UC Security Solution

33% 19% 10%

20%

Plan to Implement UC Security in the Next 12 Months No Plans to Use

30%

40%

50%

60%

70%

80%

90% 100%

Percentage of Respondents n(UC)=49, n(Plan)=55, n(No Plans)=36


The value proposition for Unified Communications security started at inception as new communications solutions were purchased and deployed. Although the additional step of including a security solution in the project plan of a UC implementation would seem to add additional time, this assumption was proven false through the data collected. In fact, companies © 2011 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897


with a security solution averaged 12 months to complete the initial implementation of a Unified Communications solution compared to 17-18 months for the typical organization lacking a security solution (Figure 4). Figure 4: Security Helped Implement UC More Quickly

22% Currently use teambased collaborative messaging tools

27% 70%

No Security Plans 22% Plan to implement in the next 12 months

63%


26%

0%

10%

20%

30%

Plan to Implement UC Security in the Next 12 Months

40%

50%

60%

70%

80%

Percentage of Respondents n(No)=46, n(Plan)=55, n(Current)=46


This accelerated implementation came from a number of different propositions. One of the greatest challenges for organizations seeking to implement Unified Communications is moving from a dedicated and fixed communications structure to a complicated, converged, and nonstandardized communications environment. This concern around converged communications ranked second only to implementation costs as a top worry for enterprises. A robust Unified Communications security solution can answer many of network and endpoint access and monitoring challenges which organizations with traditional TDM (Time-Division Multiplexing) environments or limited SIP (Session Initiation Protocol) trunking may ask. By providing an integrated solution to secure networks and endpoints, manage and encrypt usage, support identity and access issues, and provide threat detection, these solutions can allow organizations to seek greater functionality without losing the safety traditionally associated with a dedicated telephony network and endpoints. As a result, the time spent with security solutions on the front-end led to the ability to launch greater functionality with fewer debates, challenges, and workarounds as Unified Communications solutions were launched throughout the enterprise to all employees, including remote employees and branch offices. © 2011 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897


Security Provides Freedom of Choice Although security and freedom are often seen as counterbalancing tradeoffs, Aberdeen research suggests that the opposite is true for Unified Communications and that security can actually lead to more opportunities for end-users. As an example, organizations were asked about their use of instant messaging, mobile wikis, and micro-blogging within their workplace. 70% of organizations with a security solution used these short messaging capabilities on a regular basis, which nearly tripled the adoption by all other organizations (Figure 5). Figure 5: Adopting Team-Based Collaborative Messaging

22% Currently use teambased collaborative messaging tools

27% 70%

No Security Plans 22% Plan to implement in the next 12 months

63%


26%

0%

10%

20%

30%


40%

50%

60%

70%

80%



By having a secure and compliant archive for appropriate regulatory issues on the one hand and management and access control to prevent conflict-ofinterest communications from occurring, employees actually gained another tool on an as-needed basis. The use of instant messaging, microblogging, and status updates in enterprise communications shows high correlation with security. 63% of organizations planning to implement UC security in the next 12 months also plan to implement these messaging and status capabilities as well, showing that the concern for safe messaging exists in the enterprise market. To live up to its name, Unified Communications is quickly gaining additional functionalities such as integration with social media. In research for the August 2010 report, Transforming Information Overflow to Improve Business Performance, Aberdeen asked how companies were pursuing collaboration solutions and which technologies were significant contributors to their collaboration strategies. Although knowledge management and Unified Communications were important aspects of enterprise collaboration, social © 2011 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897


media technologies have gained adoption in a number of organizations (Table 1).

Table 1: Key Collaboration Technologies Technology

Adoption

Plans to Adopt

Enterprise Content Management

52%

18%

Unified Communications

48%

18%

Blogs

36%

25%

Enterprise Social Networking

35%

29%

Wikis (collaborative website that can be edited by a group)

30%

22%

Source: Aberdeen Group (n=374), August 2010

With the emergence of social media, the enterprise needs to secure and integrate social media within a more formalized communications deployment. Considering that the use of blogs, wikis, and enterprise-specific social networking tools are quickly approaching parity with Unified Communications, forward-looking organizations seek a solution to securely manage all collaborative interactions that employees have on behalf of the company. Over one-third of organizations with a security solution had social media integration with Unified Communications, whereas this integration had barely begun for all other companies (Figure 6).


Telephone: 617 854 5200 Fax: 617 723 7897


Figure 6: Enterprise Social Security with UC

13% Plan to Implement in the Next 12 Months

59% 34%

No Security Plans 1% Currently Use Social Media Integration with UC


5% 36%


0%

10%

20%

30%

40%

50%

60%

70%



As established before, this security is not simply a proscriptive set of restrictions for the employee, but also ensures that employees do not cripple the network and endpoints and professional standards are effectively met. For instance, healthcare professionals must not only consider the use of personally identifiable information (PII), but also think about the specific use of personal health information (PHI) based on HIPAA and HITECH legislation or other privacy regulations and only share that information in appropriate areas.

Security Can Improve Convenience Over the past three years, Aberdeen has seen a massive shift in enterprise mobility adoption. Businesses are now adopting smartphones from a variety of platforms to a greater extent than ever before. In the December 2009 report Enterprise Mobile Strategies 2010: More Mobility, Same Budget, Aberdeen demonstrated how employee-liable smartphones and new mobile platforms are creating support problems for organizations seeking to manage enterprise mobility. However, companies with a Unified Communications security solution are twice as likely as all other organizations to integrate smartphones with Unified Communications (Figure 7).


Telephone: 617 854 5200 Fax: 617 723 7897


Figure 7: Smartphones Integrated Into Unified Communications No Security Plans 13% Plan to use as part of UC solution within 12 months


26%


9%

31% Currently use smartphones as part of the UC solution

33% 62%

0%

10%

20%

30%

40%

50%

60%

70%



From a Unified Communications perspective, there are multiple security vulnerabilities associated with the smartphone: •

The smartphone, itself, as a mobile endpoint that can physically hold data and be exposed to non-compliant situations and software applications.

•

The cellular or WLAN network used to transport information, which may include non-protected networks.

•

Access management issues associated with the interconnects between UC infrastructure and mobile endpoints.

Organizations can struggle to integrate the communications endpoint device preferred by employees (the smartphone) with the infrastructure that provides the greatest flexibility and business process alignment to the organization (a Unified Communications suite). By securing the smartphone, companies can integrate employee preferences with enterprise needs to improve work-life balance and human latency. In September 2010, Aberdeen studied the challenges of network, endpoint and end-user security to discover how network connectivity and communications were protected by the enterprise. In doing so, we found that Best-in-Class security was not simply a matter of a healthy firewall or patch management capabilities; these are standard approaches that ignore the complexity of endpoints and communications. In today's environment, Best-in-Class organizations that reduce security incidents and audit deficiencies were over twice as likely to have contextualized network access for endpoints compared to the bottom 80% of respondents. This access © 2011 Aberdeen Group. www.aberdeen.com

Threats to Unified Communications Security issues affecting Unified Communications deployments can include the following: √ SIP scanning - Tools which call every device on your PBX seeking a hackable device √ Voice over IP hacking - Toll fraud directly conducted through your Unified Communications √ Voice over IP-based phishing (often called Vishing) Trusted contact information used to gain personal details √ SWATing - Spoofed Caller ID used to call emergency services √ Eavesdropping - Voice communications insufficiently encrypted can be intercepted and overheard

Telephone: 617 854 5200 Fax: 617 723 7897


must be dependent on policy issues such as location, endpoint type, job role, level of identify management, use of public networks, compliance issues for data at rest and data in transit, and applications supported in an enterprise communications environment.

Uniting Communications and Business Applications The goal of a Unified Communications solution is not simply to aggregate all communications capabilities, but to improve business outcomes and increase collaboration throughout the organization. Collaboration is not just a synonym for communications; collaboration should be seen as a focused effort by multiple individuals to complete business imperatives. To effectively do this, teams should be able to share and analyze key information as quickly as possible. However, this need to share must be balanced by the need to protect the organization. Two-thirds of companies with a security solution have achieved some level of business application integration whereas less than 10% of the other 143 respondents answering this question had done so (Figure 8). Figure 8: UC and Business Application Integration

15% Plan to Implement in the Next 12 Months

74% 19%

No Security Plans Currently Use Integration of UC With Other Business Applications

0%

3% Plan to Implement UC Security in the Next 12 Months

11% 67%

10%

20%

30%

40%

50%

60%

70%


80%



As Figure 8 shows, 74% of companies planning to implement UC security are also planning to integrate UC with business applications. This is a critical step to improve service responsiveness, react to critical threats, and accelerate the marketing funnel and sales cycle. However, this integration requires companies to support secure identity authentication to ensure that enterprise data and application access is limited to the stakeholders who should be able to see trade secrets, PII, and other potentially damaging information. © 2011 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897


Since only 28% of organizations currently have a Unified Communications security solution, the majority of companies are failing to unlock this advanced level of value and increase the ROI of their unified communications solution. To effectively transform their Unified Communications solution into integrated applications that improve collaboration and business outcomes, companies must have a UC solution that is secure and compliant with the same standards as all enterprise applications.

Key Insights Unified Communications security is not simply a checkbox on a long list of recommended requirements. It is a key prerequisite for unlocking the added value proposition that Unified Communications provides in conjunction with social media, mobility, and business applications. To optimize the value of a Unified Communications deployment, Aberdeen provides the following suggestions. •

Understand the role of UC security in improving the work environment. Organizations with a UC security solution are able to pursue social media, mobility and application integration far more easily than organizations lacking these capabilities. Although your organization may not be pursuing all of these options, the Aberdeen community has shown that these successful integrations largely depend on a reliable and thorough security solution. Before pursuing integration, make sure that your security solution will cover all aspects of security and compliance that can be monitored.

•

Consider the strategic value of Unified Communications to the organization. Although UC may simply be seen as an upgrade from a TDM PBX or IP telephony solution, there are many additional value-added opportunities that affect the entire enterprise whether it be supply chain collaboration, customer service, or marketing enablement. As the organization progresses from unifying communications to integrating communications with other key business technologies, employees become more productive and even identify these communications as a competitive advantage for work-life balance and employee retention.

•

Provide appropriate infrastructure to support employees. It is vital to understand the types of collaboration that employees want. In today's age of social media, mobility, and ever-changing consumer technologies, employees are shifting their communications preferences more quickly than ever before. If the organization doesn't provide a secure channel, individuals will purse unsafe channels that may put the business at risk. Be proactive in your communications investments and choose a flexible platform that can support the current and future collaborative needs of the business.


Telephone: 617 854 5200 Fax: 617 723 7897


To gain the benefits of integrated communications deployments and enhanced collaboration environments, companies using UC must consider the value provided by a security solution that controls access, policy management, encryption, and secured communications to many endpoints. For more information on this or other research topics, please visit www.aberdeen.com.

Related Research Secure Real-Time Unified Communications: Safe Connections While On the Move; October 2009

Unified Communications: Unleashing Transformation, Efficiency, Collaboration, and Compliance; March 2010

Wireless Expense Management: Controlling the Invasion of Personal Cell Phones; October 2009

Unified Communications: Improve Customer Satisfaction and Workforce Productivity; May 2010

Enterprise Mobile Strategies 2010: More Mobility, Same Budget; December 2009

Transforming Information Overflow to Improve Business Performance; August 2010

Going Mobile: Securing and Managing Smart Phones, USB Drives, and Other Mobile Endpoint Devices; January 2010

Five Key Capabilities for Gaining Visibility and Control over Your Network Devices, Endpoints and End-Users; September 2010

Author: Hyoun Park, Research Analyst, Telecom and Unified Communications ([email protected]) For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter — the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500. As a Harte-Hanks Company, Aberdeen’s research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com. This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc. (2011a)


Telephone: 617 854 5200 Fax: 617 723 7897